Many new restaurant owners can easily get lost in the logistics of opening and running a successful business. The journey from a mere thought to opening day can be long, expensive, and tiresome. It is easy to get lost in the paperwork to make sure everything is done properly, but sometimes things simply fall through the cracks. Following are the top three legal mistakes restaurant owners make.
Not Being Familiar with Local Liquor Laws
Once a restaurant has received its liquor license, it is its responsibility to know and abide by all local and federal liquor laws. The first step is to know what kind of liquor license you have, and what it allows you to serve. For example, a restaurant liquor license is the most general license and typically allows for the sale of all kinds of liquor, while restaurants that plan to make their own beer or wine need to have a brewpub liquor license. A beer and wine liquor license does not allow for the sale of hard liquor or spirits, and a tavern liquor license is for restaurants whose liquor sales comprise over half their total sales of food and liquor combined.
Once the kind of liquor license has been determined, the local laws will need to be adopted. For example, some localities do not allow unfinished bottles of wine to be taken home, while others have a limit of one drink per customer at a time. The failure of a restaurant to follow applicable liquor laws can result in heavy fines or a revocation of their liquor license altogether.
Unsafe Food Storage
It is crucial for restaurants to store and prepare food in a safe manner. Steve Lewis at Ambient Edge states, “Those in a food-related industry understand the narrow specifications for environmental controls and allowable fluctuations in temperature and humidity. It is important to make sure all food is stored at the proper temperatures for the safety and well-being of consumers.”
Refrigerators should be set to maintain a temperature of 40 degrees or below. In the event of a power outage or malfunction, food held at temperatures above 40 degrees for more than two hours is not considered safe for consumption. Improper food storage can result in fines and potential lawsuits, depending on whether anyone got sick from the improperly stored food.
Unfamiliarity with the Fair Labor Standards Act
The Fair Labor Standards Act establishes guidelines that apply to every restaurant across the United States. It establishes a federal minimum wage of $7.25 per hour, unless their specific state requires a higher wage. The act also prohibits deductions of wages for required uniforms, cash shortages, and customer walk-outs if the total deductions drop the employee’s wage below minimum wage.
Employees under the age of 18 may not perform hazardous job duties under any circumstances. These include: using bakery equipment, operating meat processing equipment, and operating or maintaining power-driven equipment like slicers, grinders, and mixers.
Hoping to fly below the radar of cybercriminals is not an effective cybersecurity defense strategy. The value of digital assets and information can, and does, exist independent of a business’s size or revenue. From company or customer credit card data, banking or other financial information, to personal health-related records, company trade secrets or work product: if there is a business imperative – or legal or compliance requirement – to keep information confidential and secure, it holds value and your business should protect it.
However, many businesses do not understand the threats they face, the data they possess, how their employees, customers and vendors interact with the data, or the tools needed to defend against cyber threats. Large companies may have greater resources to defend against and respond to a data breach when it occurs, but are small and mid-sized businesses adequately prepared? Small and medium sized businesses need a set of tools they can use to defend against cyber threats – a cybersecurity tool kit.
CYBERSECURITY COMPANY POLICY DEVELOPMENT
Whether they know it or not and whether they want to or not, every employee guards virtual doors through which cybercriminals are waiting to be let in. Your employees must understand your company’s cybersecurity policy. Your company can do that by creating policies that are clear, not too dense or long, and regularly updated. Good policies should also strike the right balance between security and avoiding unnecessary restrictions on employee creativity and productivity.
WHAT SHOULD BE IN THE CYBERSECURITY TOOL KIT?
No. 2 – Assign Roles and Responsibilities. Cybersecurity is not just something you delegate to your IT professional. Everyone in your company has a role to play in protecting company data. Your IT professional should of course have a thorough understanding of cybersecurity threats and must be able to advise on and implement technological tools to protect your business (e.g., data back-up, firewalls). However, there are cybersecurity responsibilities that likely fall outside of the bailiwick of your IT professional. Cybersecurity professionals speak of “layered security.” That concept encompasses an axiom of cybersecurity planning: the more sensitive the data, the more restricted the access should be. It makes sense for many businesses to take an inventory of the kinds of data they collect and store. Once this is done, assign responsibility and access rights to the different types of data based on the level of sensitivity of the data.
No. 3 – Acceptable Use Policies (AUP). “Acceptable use policies” set your company’s expectations with employees on how they handle certain workplace technology, interface with the Internet and control physical access to entry points into your company’s network. Instead of one long AUP, consider drafting several “bite-sized” AUPs. Your company should have AUPs for: email usage, mobile devices, Web browsing, social media, remote access to the company’s network, use of removable media and telephone usage. The currency of most cybercriminals is trust. The successful cybercriminal engages in “social engineering” to try to win your trust – for example, by making that phishing email appear to have come from a trustworthy source. Your company needs to train its employees on how to recognize and avoid these threats, and it can do so, in part, through a comprehensive set of AUPs.
No. 4 – Physical Workplace Security Policy. Because cyber crimes occur via the Internet, physical workplace security is often overlooked as a point of vulnerability. Your company should have a policy that establishes expectations about physical securing of laptops and mobile devices, positioning of desktop screens (away from public spaces), document retention, organization and securing of printed materials containing sensitive information, trash removal and shredding, the need for security cameras, door locks and alarm systems.
No. 5 – Passwords and Encryption Policy. One of the drudgeries that accompanies the cybersecurity era is the need for encryption and passwords. Who hasn’t cursed the forgotten username or password? Sadly, password management is now just something that has to be done – like doing the laundry. However, a thoughtful password and encryption policy can systematize password and encryption management practices for your business. By applying the sensitivity/security axiom explained above, different levels of password security and encryption can be employed to make it less of a hassle to access less sensitive data.
No. 6 – Insurance. No matter how robust your cybersecurity tool is, no company is impermeable and where there is risk, there is insurance. Your company should understand whether and to what extent its insurance policies cover cyberattack incidents and damages caused. Many insurance companies and professional firms will provide cybersecurity risk assessments. Some insurance companies are also now offering cyber insurance policies. Cyber insurance is still in an incipient stage of development. Many questions remain about premium amounts, underwriting risk, coverage, government regulation of cyber insurance products, liability limits and overlapping coverage – all of which point to a larger question for small and medium-sized businesses of whether purchasing a cyber insurance policy is worth the money spent on premiums. Small and medium-sized businesses should understand what their existing insurance policy covers, ask their carrier if they offer cybersecurity risk assessments and then evaluate the cost-benefit of cybersecurity insurance.
No. 7 – Incident Response Plan. If and when your company is the victim of an attack, your company should have a plan in place for how to respond. Seth Northrop, an attorney at Robins Kaplan, wrote a great article on this topic in the April issue of Attorney at Law Magazine and we refer you to it for a primer on developing an incident response plan.
No. 8 – Training. Last and definitely not least – the best laid plans are worthless if employees are not trained to follow them. Every company should invest in cybersecurity training for its employees. According to IBM’s 2014 Cyber Security Intelligence Index, human error was a component of 95 percent of all security incidents. Employee training should be comprehensive and thoroughly address all of the subjects discussed in this article. Training should occur annually and training materials updated regularly.
The threat posed by cyberattack is very real for today’s businesses and it is proliferating and constantly mutating. Small and mid-sized businesses are not immune from hacking, data loss or security breaches. By taking proactive steps to develop and implement cybersecurity policies, plans and practices, small and medium-sized businesses can develop a toolkit to manage and mitigate their risk.
Tony Mendoza is the founder and owner of Mendoza Law, LLC and leads his firm’s communications law practice. He can be reached at firstname.lastname@example.org or visit mendozalawoffice.com. Shawn Dobbins is an attorney with Mendoza Law, LLC and has advised domestic and multinational clients at the intersection of law, technology, and business for a decade, in the courtroom, company conference room, and at the negotiating table.